Reinforcement of security.
Signed-off-by: MORITA Shintaro <shin@sysphonic.com>
MORITA Shintaro committed Jul 7, 2015
1 parent ce535a3 commit 8004ee0
Showing 12 changed files with 84 additions and 49 deletions.
20 changes: 7 additions & 13 deletions app/controllers/application_controller.rb
Expand Up @@ -75,18 +75,18 @@ def render(action=nil, options={}, &blk)
#=== paginate_by_sql
#
def paginate_by_sql(model, sql, per_page, options={})
if options[:count]
if options[:count].blank?
total = model.count_by_sql_wrapping_select_query(sql)
else
if options[:count].is_a?(Integer)
total = options[:count]
else
total = model.count_by_sql(options[:count])
#else
# total = model.count_by_sql(options[:count])
end
else
total = model.count_by_sql_wrapping_select_query(sql)
end

SqlHelper.validate_token([params['page']])
object_pages = model.paginate_by_sql(sql, {:page => params['page'], :per_page => per_page})
#objects = model.find_by_sql_with_limit(sql, object_pages.current.to_sql[1], per_page)
return [object_pages, object_pages, total]
end

Expand All @@ -99,7 +99,7 @@ def gate_process

HistoryHelper.keep_last(request)

@login_user = User.find_by_id(session[:login_user_id])
@login_user = User.find(session[:login_user_id])

begin
if @login_user.nil? \
Expand All @@ -118,12 +118,6 @@ def gate_process

module ActiveRecord
class Base
def self.find_by_sql_with_limit(sql, offset, limit)
sql = sanitize_sql(sql)
add_limit!(sql, {:limit => limit, :offset => offset})
find_by_sql(sql)
end

def self.count_by_sql_wrapping_select_query(sql)
sql = sanitize_sql(sql)
count_by_sql("select count(*) from (#{sql}) as my_table")
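Review bot: `User.find(session[:login_user_id])` on the new line in gate_process raises ActiveRecord::RecordNotFound when the session carries no login id (`find(nil)` does not return nil) or a stale id of a deleted user, so the `if @login_user.nil?` branch right after it can no longer be reached for such requests; unless a `rescue_from ActiveRecord::RecordNotFound` exists outside this hunk, a logged-out visitor now gets an exception page instead of the login handling. Keep the integer-casting `find` but handle the absent case explicitly: `@login_user = session[:login_user_id].blank? ? nil : User.find(session[:login_user_id])`, and rescue RecordNotFound to clear the stale session id and fall through to the nil branch. Note that the `begin` opens after the lookup, so whatever rescue it carries does not cover the find. gate_process continues outside the hunk.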
22 changes: 14 additions & 8 deletions app/controllers/mail_filters_controller.rb
Expand Up @@ -108,7 +108,10 @@ def show
Log.add_info(request, params.inspect)
end

@mail_filter = MailFilter.find_by_id(params[:id])
begin
@mail_filter = MailFilter.find(params[:id])
rescue => evar
end
if @mail_filter.nil?
render(:text => 'ERROR:' + t('msg.already_deleted', :name => MailFilter.model_name.human))
return
Expand Down Expand Up @@ -225,8 +228,8 @@ def destroy
def do_execute
Log.add_info(request, params.inspect)

mail_account = MailAccount.find_by_id(params[:mail_account_id])
mail_folder = MailFolder.find_by_id(params[:mail_folder_id])
mail_account = MailAccount.find(params[:mail_account_id])
mail_folder = MailFolder.find(params[:mail_folder_id])

if mail_account.user_id != @login_user.id \
or mail_folder.user_id != @login_user.id
Expand Down Expand Up @@ -258,8 +261,9 @@ def get_order
Log.add_info(request, params.inspect)

mail_account_id = params[:mail_account_id]
SqlHelper.validate_token([mail_account_id])

@mail_account = MailAccount.find_by_id(mail_account_id)
@mail_account = MailAccount.find(mail_account_id)

if @mail_account.user_id != @login_user.id
flash[:notice] = t('msg.need_to_be_owner')
Expand All @@ -285,9 +289,11 @@ def update_order
Log.add_info(request, params.inspect)

mail_account_id = params[:mail_account_id]
order_ary = params[:mail_filters_order]
order_arr = params[:mail_filters_order]

SqlHelper.validate_token([mail_account_id])

@mail_account = MailAccount.find_by_id(mail_account_id)
@mail_account = MailAccount.find(mail_account_id)

if @mail_account.user_id != @login_user.id
render(:text => 'ERROR:' + t('msg.need_to_be_owner'))
Expand All @@ -301,8 +307,8 @@ def update_order
id_a = filter_a.id.to_s
id_b = filter_b.id.to_s

idx_a = order_ary.index(id_a)
idx_b = order_ary.index(id_b)
idx_a = order_arr.index(id_a)
idx_b = order_arr.index(id_b)

if idx_a.nil? or idx_b.nil?
idx_a = filters.index(id_a)
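Review bot: The `rescue => evar` added around `MailFilter.find(params[:id])` in show catches every StandardError, not only ActiveRecord::RecordNotFound, so a database or connection failure is shown to the user as the `already_deleted` message and `evar` is never logged or used. Narrow it to `rescue ActiveRecord::RecordNotFound` (the variable can be dropped) so real failures surface instead of being misreported as a deleted filter. In update_order, `order_arr = params[:mail_filters_order]` is later called with `.index` unguarded, so a request that omits the parameter raises NoMethodError inside the sort; `order_arr = Array(params[:mail_filters_order])` lets the existing `idx_a.nil?` fallback handle it. Both methods extend outside the hunk.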
30 changes: 22 additions & 8 deletions app/controllers/mail_folders_controller.rb
Expand Up @@ -302,7 +302,7 @@ def get_mail_attachments

email_id = params[:id]

email = Email.find_by_id(email_id)
email = Email.find(email_id)
if email.nil? or email.user_id != @login_user.id
render(:text => '')
return
Expand All @@ -327,14 +327,20 @@ def get_mail_attachment
Log.add_info(request, params.inspect)

attached_id = params[:id].to_i
mail_attach = MailAttachment.find_by_id(attached_id)
begin
mail_attach = MailAttachment.find(attached_id)
rescue => evar
end

if mail_attach.nil?
redirect_to(THETIS_RELATIVE_URL_ROOT + '/404.html')
return
end

email = Email.find_by_id(mail_attach.email_id)
begin
email = Email.find(mail_attach.email_id)
rescue => evar
end
if email.nil? or email.user_id != @login_user.id
render(:text => '')
return
Expand Down Expand Up @@ -438,7 +444,10 @@ def ajax_delete_mails
params[:check_mail].each do |email_id, value|
next if value != '1'

email = Email.find_by_id(email_id)
begin
email = Email.find(email_id)
rescue => evar
end
next if email.nil? or (email.user_id != @login_user.id)

if trash_folder.nil? \
Expand Down Expand Up @@ -473,7 +482,11 @@ def ajax_move_mails
Log.add_info(request, params.inspect)

folder_id = params[:thetisBoxSelKeeper].split(':').last
mail_folder = MailFolder.find_by_id(folder_id)
SqlHelper.validate_token([folder_id])
begin
mail_folder = MailFolder.find(folder_id)
rescue => evar
end

if folder_id == '0' \
or mail_folder.nil? \
Expand Down Expand Up @@ -541,15 +554,16 @@ def get_folders_order
def update_folders_order
Log.add_info(request, params.inspect)

order_ary = params[:folders_order]
order_arr = params[:folders_order]

SqlHelper.validate_token([params[:id]])
folders = MailFolder.get_childs(params[:id], false, false)
# folders must be ordered by xorder ASC.

folders.sort! { |id_a, id_b|

idx_a = order_ary.index(id_a)
idx_b = order_ary.index(id_b)
idx_a = order_arr.index(id_a)
idx_b = order_arr.index(id_b)

if idx_a.nil? or idx_b.nil?
idx_a = folders.index(id_a)
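Review bot: In get_mail_attachments, `Email.find(email_id)` is the one lookup in this file that the commit converts without the begin/rescue it adds to the others, so an unknown id raises RecordNotFound before the `email.nil? or email.user_id != @login_user.id` line, whose nil half is now unreachable and whose intended response, `render(:text => '')`, is replaced by an error. Wrap it like the sibling lookups, but with `rescue ActiveRecord::RecordNotFound` rather than the bare `rescue => evar` used in get_mail_attachment, ajax_delete_mails and ajax_move_mails, which swallow every StandardError and leave `evar` unused. Each of these methods extends outside the hunk.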
1 change: 1 addition & 0 deletions app/controllers/workflows_controller.rb
Expand Up @@ -103,6 +103,7 @@ def move

unless params[:thetisBoxSelKeeper].nil?
folder_id = params[:thetisBoxSelKeeper].split(':').last
SqlHelper.validate_token([folder_id])

workflow = Workflow.find(params[:id])

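Review bot: `SqlHelper.validate_token([folder_id])` guards a value whose use lies outside this hunk; if folder_id is interpolated into SQL there, a token whitelist is a reasonable backstop but an explicit integer coercion is the stronger control, e.g. `folder_id = Integer(folder_id)` with `rescue ArgumentError, TypeError` rendering an error. Also `''.split(':').last` is nil when the parameter is present but empty, so this relies on validate_token rejecting nil — confirm that against SqlHelper. The move method continues outside the hunk.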
6 changes: 5 additions & 1 deletion app/helpers/mail_filters_helper.rb
Expand Up @@ -413,8 +413,12 @@ def self.execute_actions(mail_filter, email, actions)
def self.execute_action_move(mail_filter, email, val)

mail_folder_id = val
SqlHelper.validate_token([mail_folder_id])

mail_folder = MailFolder.find_by_id(mail_folder_id)
begin
mail_folder = MailFolder.find(mail_folder_id)
rescue => evar
end
if !mail_folder.nil? and (mail_folder.user_id == email.user_id)
email.update_attribute(:mail_folder_id, mail_folder_id)
end
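Review bot: After the folder is found and confirmed to belong to the mail's owner, `email.update_attribute(:mail_folder_id, mail_folder_id)` still writes the raw filter value `val` rather than the record just validated; use `email.update_attribute(:mail_folder_id, mail_folder.id)` so the stored value is the verified integer and the preceding validate_token is no longer load-bearing for this write. The `rescue => evar` also masks non-lookup failures and leaves `evar` unused; `rescue ActiveRecord::RecordNotFound` is enough to route a deleted folder into the nil branch. update_attribute skips validations, which predates this change but matters at a site whose input is stored filter configuration. The method continues outside the hunk.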
15 changes: 12 additions & 3 deletions app/models/address.rb
Expand Up @@ -210,7 +210,8 @@ def self.check_csv_header(row, book)
def self.parse_csv_row(row, book, idxs, user)

imp_id = (idxs[0].nil? or row[idxs[0]].nil?)?(nil):(row[idxs[0]].strip)
unless imp_id.nil? or imp_id.empty?
SqlHelper.validate_token([imp_id])
unless imp_id.blank?
org_address = Address.find_by_id(imp_id)
end

Expand Down Expand Up @@ -305,7 +306,11 @@ def check_import(mode, address_names) #, address_emails
if (/^|([0-9]+|)+$/ =~ self.groups) == 0

self.get_groups_a.each do |group_id|
group = Group.find_by_id(group_id)
begin
group = Group.find(group_id)
rescue => evar
group = nil
end
if group.nil?
err_msgs << I18n.t('address.import.not_valid_groups') + ': '+group_id.to_s
break
Expand All @@ -322,7 +327,11 @@ def check_import(mode, address_names) #, address_emails
if (/^|([0-9]+|)+$/ =~ self.teams) == 0

self.get_teams_a.each do |team_id|
team = Team.find_by_id(team_id)
begin
team = Team.find(team_id)
rescue => evar
team = nil
end
if team.nil?
err_msgs << I18n.t('address.import.not_valid_teams') + ': '+team_id.to_s
break
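Review bot: In parse_csv_row the new `SqlHelper.validate_token([imp_id])` runs before the `imp_id.blank?` guard, so it is also called with nil when the uploaded CSV row has no id column, and whether validate_token tolerates nil is not visible here; moving it inside the `unless imp_id.blank?` block avoids the question. That block also keeps `Address.find_by_id(imp_id)`, the one lookup in this commit not converted to `find`; since the id comes from an uploaded file, the pattern used elsewhere in the commit, `Address.find(imp_id)` under `rescue ActiveRecord::RecordNotFound`, is the consistent choice. The two `rescue => evar` blocks in check_import catch every StandardError and report it as `not_valid_groups`/`not_valid_teams`; narrowing them to RecordNotFound keeps that message for the case it describes. Both methods extend outside the hunk.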
4 changes: 1 addition & 3 deletions app/models/comment.rb
Expand Up @@ -104,8 +104,7 @@ def attachments_without_content
rescue => evar
Log.add_error(nil, evar)
end
attachments = [] if attachments.nil?
return attachments
return (attachments || [])
end

#=== self.get_toys
Expand Down Expand Up @@ -160,5 +159,4 @@ def self.get_feeds(user, root_url, users_cache = nil)
end
return entries
end

end
2 changes: 1 addition & 1 deletion app/models/email.rb
Expand Up @@ -53,7 +53,7 @@ class Email < ActiveRecord::Base
# FEATURE_MAIL_STRICT_CAPACITY >>>
if (email.status != Email::STATUS_TEMPORARY) \
and (email.size > org_size)
mail_account = MailAccount.find_by_id(email.mail_account_id)
mail_account = MailAccount.find(email.mail_account_id)
max_size = mail_account.get_capacity_mb * 1024 * 1024
con = "(id != #{email.id})" unless email.id.nil?
cur_size = MailAccount.get_using_size(mail_account.id, con)
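Review bot: `MailAccount.find(email.mail_account_id)` now raises ActiveRecord::RecordNotFound inside what appears to be a model callback (its start is above the hunk), so an email whose account row is gone or whose mail_account_id is nil aborts the save with an exception rather than a handled error; the old find_by_id path failed just as hard on `mail_account.get_capacity_mb`, so this is not a regression, but the failure mode is still accidental. If this is a validation callback, rescue RecordNotFound and add an error such as `email.errors.add(:mail_account_id, :invalid)` so callers get a clean rejection. The interpolation in `con = "(id != #{email.id})"` uses only a persisted integer id and is fine. The enclosing block starts outside the hunk.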
6 changes: 5 additions & 1 deletion app/models/item.rb
Expand Up @@ -68,7 +68,11 @@ def is_a_copy?(folder_obj_cache=nil)
return false if self.source_id.nil?

# Exclude those created from system templates.
src_item = Item.find_by_id(self.source_id)
begin
src_item = Item.find(self.source_id)
rescue => evar
src_item = nil
end
if src_item.nil?
return true
else
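Review bot: In is_a_copy? the new `rescue => evar` sets `src_item = nil`, and the nil branch returns true, so any StandardError from the lookup — a connection timeout, a statement error — is answered as "this item is a copy" instead of surfacing; only the not-found case should take that path. Use `rescue ActiveRecord::RecordNotFound` and drop the unused `evar`. The method continues outside the hunk.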
18 changes: 9 additions & 9 deletions app/models/toy.rb
Expand Up @@ -125,7 +125,7 @@ def self.get_for_user(user)
return [] if user.nil?

toys = Toy.where("user_id=#{user.id}").to_a
deleted_ary = []
deleted_arr = []

return [] if toys.nil?

Expand All @@ -134,48 +134,48 @@ def self.get_for_user(user)
when Toy::XTYPE_ITEM
item = Item.find_by_id(toy.target_id)
if item.nil?
deleted_ary << toy
deleted_arr << toy
next
end
Toy.copy(toy, item)

when Toy::XTYPE_COMMENT
comment = Comment.find_by_id(toy.target_id)
if comment.nil?
deleted_ary << toy
deleted_arr << toy
next
end
Toy.copy(toy, comment)

when Toy::XTYPE_WORKFLOW
workflow = Workflow.find_by_id(toy.target_id)
if workflow.nil?
deleted_ary << toy
deleted_arr << toy
next
end
Toy.copy(toy, workflow)

when Toy::XTYPE_SCHEDULE
schedule = Schedule.find_by_id(toy.target_id)
if schedule.nil?
deleted_ary << toy
deleted_arr << toy
next
end
Toy.copy(toy, schedule)

when Toy::XTYPE_FOLDER
folder = Folder.find_by_id(toy.target_id)
if folder.nil?
deleted_ary << toy
deleted_arr << toy
next
end
Toy.copy(toy, folder)
end
end

deleted_ary.each do |toy|
toys.delete toy
Toy.destroy toy.id
deleted_arr.each do |toy|
toys.delete(toy)
Toy.destroy(toy.id)
end

return toys
6 changes: 5 additions & 1 deletion app/models/user.rb
Expand Up @@ -1131,7 +1131,11 @@ def check_import(mode, user_names) #, user_emails
if (/^|([0-9]+|)+$/ =~ self.groups) == 0

self.get_groups_a.each do |group_id|
group = Group.find_by_id(group_id)
begin
group = Group.find(group_id)
rescue => evar
group = nil
end
if group.nil?
err_msgs << I18n.t('user.import.not_valid_groups') + ': '+group_id.to_s
break
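Review bot: The `rescue => evar; group = nil` around `Group.find(group_id)` in check_import turns every StandardError into the `not_valid_groups` import error, so a transient database failure during a user import is reported to the importer as bad data in the groups column; `rescue ActiveRecord::RecordNotFound` (with `evar` dropped) keeps that message for the case it names. Separately, the guard on the surrounding line reads `/^|([0-9]+|)+$/`; if the `|` characters are meant as literal separators they need escaping, `/^\|([0-9]+\|)+$/`, because as written the leading `^` alternative matches position 0 of any string and the check always passes — confirm against the file, since the rendering here may have dropped backslashes. check_import continues outside the hunk.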
3 changes: 2 additions & 1 deletion app/views/mail_filters/_mail_filter_form.html.erb
Expand Up @@ -6,7 +6,8 @@ if params[:mail_account_id].blank?
else
mail_account_id = params[:mail_account_id]
end
mail_account = MailAccount.find_by_id(mail_account_id)
SqlHelper.validate_token([mail_account_id])
mail_account = MailAccount.find(mail_account_id)
%>
<%= render(:partial => 'common/error', :locals => {:obj => @mail_filter}) %>
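Review bot: The partial now performs `MailAccount.find(mail_account_id)` on a value taken straight from params, and nothing in this hunk checks that the account belongs to `@login_user`; if the controller action rendering this form does not already enforce ownership (not visible here), a user can render the form against another user's account id, and an unknown id raises RecordNotFound from inside a view. Move the lookup into the controller, apply the same `user_id != @login_user.id` check the controllers in this commit use, and pass the partial an `@mail_account`; `SqlHelper.validate_token` ahead of an integer-casting `find` adds nothing for this call. The ERB block starts outside the hunk.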
